Stefan G. Weichinger
2017-Nov-11 10:02 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
A customer asked me if someone would be able to sniff (wireshark or something like that) a password if plugging into the same switch as their samba server. They use a desktop icon pointing at a plain old bat-file containing a "net use" command with the password right in there. I *assume* that the "net use" authenticates via encrypted communication? could someone confirm that? - Unfortunately we can't use domain context there because of the special structure there: the thin clients are members in a AD domain separate from our protected standalone samba server (and these worlds have to be kept separated). *and* I have to keep NTLMv1 etc activated to support old Windows XP VMs ... as far as I remember there are ways to activate safer protocols for XP as well, correct? (they insist on XP because of a specific software ...) - They also ask for encryption. I think I could encrypt the underlying layer via encfs or something, but that means that somebody has to provide a passphrase at boot/mount-time. I want to avoid a single-person-of-failure-scenario here: even if I am not available they have to be able to get that server up and running again in case of some reboot or so. Is it recommended to just place a container like Truecrypt or Veracrypt inside a Samba-share? Any thoughts or recommendations here, best practices ... ? have a nice weekend, Stefan
Rowland Penny
2017-Nov-11 12:36 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
On Sat, 11 Nov 2017 11:02:31 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:> > A customer asked me if someone would be able to sniff (wireshark or > something like that) a password if plugging into the same switch as > their samba server. > > They use a desktop icon pointing at a plain old bat-file containing a > "net use" command with the password right in there. > > I *assume* that the "net use" authenticates via encrypted > communication? could someone confirm that?As far as I am aware, 'net use' sends the password unencrypted, so if someone is trying to 'sniff' the password, they will get it, but then if the password is stored in the bat file unencrypted and anybody can read the bat file, they wont need to 'sniff' the password.> > - > > Unfortunately we can't use domain context there because of the > special structure there: the thin clients are members in a AD domain > separate from our protected standalone samba server (and these worlds > have to be kept separated). > > *and* I have to keep NTLMv1 etc activated to support old Windows XP > VMs ... as far as I remember there are ways to activate safer > protocols for XP as well, correct? (they insist on XP because of a > specific software ...)You can make XP use NTLMv2, see here: imss.caltech.edu/node/396 I don't know who your customer is, but they really should find a more up to date way of doing things.> > - > > They also ask for encryption. I think I could encrypt the underlying > layer via encfs or something, but that means that somebody has to > provide a passphrase at boot/mount-time. I want to avoid a > single-person-of-failure-scenario here: even if I am not available > they have to be able to get that server up and running again in case > of some reboot or so. > > Is it recommended to just place a container like Truecrypt or > Veracrypt inside a Samba-share? Any thoughts or recommendations here, > best practices ... ?Cannot help you with encryption, I don't use it. However I feel that I should point out that the rest of the system seems to be so insecure, that if a badhat does get in, they will problem get the encryption keys as well. Rowland
Stefan G. Weichinger
2017-Nov-11 18:26 UTC
[Samba] how safe is "net use" in a batch file? plus some encryption questions
Am 2017-11-11 um 13:36 schrieb Rowland Penny:> As far as I am aware, 'net use' sends the password unencrypted, so if > someone is trying to 'sniff' the password, they will get it, but then > if the password is stored in the bat file unencrypted and anybody can > read the bat file, they wont need to 'sniff' the password.Yes, we know ;-) The thin client with the batch file is physically far away from the server which is in a protected rack inside a closed basement. I think I will try to wireshark such a session. Just to learn.> You can make XP use NTLMv2, see here: > > imss.caltech.edu/node/396Great, I will test that on monday. thanks.> I don't know who your customer is, but they really should find a more > up to date way of doing things.That's why we talk and discuss these issues.> Cannot help you with encryption, I don't use it. However I feel that I > should point out that the rest of the system seems to be so insecure, > that if a badhat does get in, they will problem get the encryption keys > as well.oh, come on, it's not that bad ;-) greets, Stefan
Possibly Parallel Threads
- how safe is "net use" in a batch file? plus some encryption questions
- how safe is "net use" in a batch file? plus some encryption questions
- how safe is "net use" in a batch file? plus some encryption questions
- how safe is "net use" in a batch file? plus some encryption questions
- how safe is "net use" in a batch file? plus some encryption questions